Detection of default account usage such as Guest or Administrator performing interactive or remote logons on systems outside of installation or maintenance windows.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |

| Field | Description |
|---|---|
| UserContext | Default usernames like 'Administrator' or 'Guest' may be renamed or disabled by the organization. Detection logic should account for name changes. |
| TimeWindow | Restrict detection to unusual hours or outside of expected maintenance windows. |
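The rule described above, written out as an added example (this is not code from the original page): it filters Security 4624 events to interactive and remote-interactive logon types, matches the built-in names plus a renamed copy, and suppresses hits inside a maintenance window. The sample events, the renamed account `brk-glass`, and the Saturday 01:00-05:00 window are all assumptions made for the example.

```python
"""Flag Windows 4624 interactive/remote logons by default accounts outside a maintenance window.
Added example; the events below are constructed records, not real telemetry."""
from datetime import datetime, time

# Logon types that produce a user-facing session: 2 Interactive, 10 RemoteInteractive (RDP), 11 CachedInteractive.
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}

# Built-in defaults plus any renamed copies. Assumption: this site renamed Administrator to 'brk-glass'.
DEFAULT_ACCOUNTS = {"administrator", "guest", "defaultaccount", "brk-glass"}

# Assumption: the approved maintenance window is Saturday 01:00-05:00 (system local time).
MAINT_WEEKDAY = 5                                   # Monday == 0, so 5 == Saturday
MAINT_START, MAINT_END = time(1, 0), time(5, 0)

SAMPLE_EVENTS = [  # constructed 4624-style records, one per line, as key=value pairs
    "EventCode=4624 TimeCreated=2024-03-09T02:30:00 TargetUserName=Administrator LogonType=10 IpAddress=10.1.1.5",
    "EventCode=4624 TimeCreated=2024-03-11T14:05:00 TargetUserName=Guest LogonType=2 IpAddress=-",
    "EventCode=4624 TimeCreated=2024-03-11T14:06:00 TargetUserName=brk-glass LogonType=10 IpAddress=203.0.113.7",
    "EventCode=4624 TimeCreated=2024-03-11T14:07:00 TargetUserName=alice LogonType=10 IpAddress=10.1.1.9",
    "EventCode=4624 TimeCreated=2024-03-11T14:08:00 TargetUserName=Administrator LogonType=3 IpAddress=10.1.1.9",
    "EventCode=4672 TimeCreated=2024-03-11T14:09:00 TargetUserName=Administrator LogonType=10 IpAddress=10.1.1.9",
]


def parse_event(line):
    """Split a 'k=v k=v ...' record into a dict (values carry no spaces in this constructed format)."""
    return dict(pair.split("=", 1) for pair in line.split())


def in_maintenance_window(ts):
    """True when the timestamp falls inside the approved window."""
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START <= ts.time() < MAINT_END


def detect_default_account_logons(events):
    """Return (user, logon_type, source_ip) for every out-of-window default-account logon."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventCode") != "4624":
            continue
        if ev.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
            continue  # network/service/batch logons belong to other rules
        if ev.get("TargetUserName", "").lower() not in DEFAULT_ACCOUNTS:
            continue
        if in_maintenance_window(datetime.fromisoformat(ev["TimeCreated"])):
            continue  # expected administrative activity
        alerts.append((ev["TargetUserName"], ev["LogonType"], ev.get("IpAddress", "-")))
    return alerts


if __name__ == "__main__":
    for user, ltype, ip in detect_default_account_logons(SAMPLE_EVENTS):
        print(f"ALERT default-account logon: user={user} logon_type={ltype} source={ip}")
```

The first sample (Administrator over RDP at 02:30 on a Saturday) is suppressed by the window; the Guest and renamed-Administrator logons on Monday afternoon are reported; the type-3 network logon and the 4672 event are ignored.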
Monitoring for SSH logins from default accounts such as 'root', especially when login is via password and not key-based authentication.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | auditd:USER_LOGIN | USER_LOGIN |

| Field | Description |
|---|---|
| SSHMethod | Environments using passwordless SSH should not have password logins enabled for root or other default accounts. |
| RemoteIPWhitelist | Logins from jump boxes may be whitelisted depending on environment policies. |
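An added example of the SSHMethod and RemoteIPWhitelist tunables in code (not from the original page). The auditd USER_LOGIN record gives the account and source address but, to my knowledge, not the authentication method, so the example reads sshd's own "Accepted <method> for <user> from <ip>" syslog line instead; that choice, the default-account list, and the jump-box address are assumptions. Password and PAM keyboard-interactive logins to default accounts always alert; key-based logins alert only when the source is not an approved jump box.

```python
"""Flag SSH logins to default accounts: every password-based login, and key-based logins
that did not come from an approved jump box. Added example; sshd lines are constructed."""
import re

DEFAULT_ACCOUNTS = {"root", "admin", "ubuntu", "ec2-user", "pi"}   # assumption: site's default-account list
JUMP_BOXES = {"10.0.0.10"}                                         # assumption: approved bastion hosts
PASSWORD_METHODS = {"password", "keyboard-interactive/pam"}        # PAM-backed interactive auth is password-equivalent

# sshd success line: "Accepted <method> for <user> from <ip> port <n> ssh2"
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>[\w/-]+) for (?P<user>\S+) from (?P<ip>[\da-fA-F.:]+) port \d+")

SAMPLE_LINES = [  # constructed
    "Mar 11 14:02:11 web01 sshd[2211]: Accepted publickey for root from 10.0.0.10 port 50122 ssh2",
    "Mar 11 14:03:40 web01 sshd[2231]: Accepted password for root from 198.51.100.23 port 40411 ssh2",
    "Mar 11 14:04:02 web01 sshd[2240]: Accepted password for root from 10.0.0.10 port 40412 ssh2",
    "Mar 11 14:05:55 web01 sshd[2250]: Accepted publickey for ubuntu from 198.51.100.23 port 40415 ssh2",
    "Mar 11 14:06:10 web01 sshd[2260]: Accepted password for alice from 198.51.100.23 port 40416 ssh2",
    "Mar 11 14:06:30 web01 sshd[2270]: Failed password for root from 198.51.100.23 port 40417 ssh2",
]


def classify(line):
    """Return (reason, user, source_ip) for a line that violates policy, else None."""
    m = ACCEPTED.search(line)
    if not m or m["user"] not in DEFAULT_ACCOUNTS:
        return None
    if m["method"] in PASSWORD_METHODS:
        # Policy: password logins to default accounts are never acceptable, jump box or not.
        return ("password_login_default_account", m["user"], m["ip"])
    if m["ip"] not in JUMP_BOXES:
        return ("default_account_from_unapproved_source", m["user"], m["ip"])
    return None


def detect(lines):
    """Run classify() over a log stream and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for reason, user, ip in detect(SAMPLE_LINES):
        print(f"ALERT {reason}: user={user} source={ip}")
```

Three of the six sample lines alert: the two password logins as root (one of them from the jump box, which does not excuse the method) and the key-based ubuntu login from an unapproved address. The failed attempt is out of scope for this rule.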
Use of known default service accounts or root-level cloud accounts performing authentication or changes to IAM policy.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | AWS:CloudTrail | ConsoleLogin or AssumeRole |

| Field | Description |
|---|---|
| AccountList | Organizations may rename or rotate default IAM accounts; detection logic should be updated with any renamed or aliased default identities. |
| GeoLocation | Authentication attempts from unusual geographic regions should trigger anomaly detection. |
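The CloudTrail rule as an added example (not code from the original page). It treats the account root user and a configurable list of aliased default identities as in scope, fires on authentication events and on mutating IAM calls, and raises severity when the record's `awsRegion` is outside the expected set. Assumptions: the account id 123456789012, the `legacy-admin` alias, the expected-region set, and the use of `awsRegion` as a stand-in for source geolocation (an offline example has no IP geolocation database).

```python
"""Flag authentication and IAM changes by the AWS root user or aliased default identities,
with higher severity from unexpected regions. Added example; records are constructed."""
import json

# Assumptions for this site: one aliased default identity kept under a new name, and two expected regions.
DEFAULT_IDENTITY_ARNS = {"arn:aws:iam::123456789012:user/legacy-admin"}
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}
AUTH_EVENTS = {"ConsoleLogin", "AssumeRole", "GetSessionToken"}

SAMPLE_RECORDS = [json.dumps(r) for r in [  # constructed CloudTrail-shaped records
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.4.2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/legacy-admin"},
     "requestParameters": {"userName": "legacy-admin",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "responseElements": None},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.4.2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]]


def is_default_identity(identity):
    """Root is always in scope; so is any ARN on the aliased-default list."""
    return identity.get("type") == "Root" or identity.get("arn") in DEFAULT_IDENTITY_ARNS


def evaluate(record):
    """Return an alert dict for an in-scope record, else None."""
    ev = json.loads(record)
    ident = ev.get("userIdentity", {})
    if not is_default_identity(ident):
        return None
    is_auth = ev.get("eventName") in AUTH_EVENTS
    # Mutating IAM calls only; Get*/List* are read-only and would be noisy.
    is_iam_change = (ev.get("eventSource") == "iam.amazonaws.com"
                     and not ev["eventName"].startswith(("Get", "List")))
    if not (is_auth or is_iam_change):
        return None
    severity = "high" if ev.get("awsRegion") not in EXPECTED_REGIONS else "medium"
    outcome = (ev.get("responseElements") or {}).get("ConsoleLogin", "n/a")
    return {"severity": severity, "event": ev["eventName"], "arn": ident.get("arn"),
            "ip": ev.get("sourceIPAddress"), "region": ev.get("awsRegion"), "outcome": outcome}


def detect(records):
    return [alert for alert in map(evaluate, records) if alert]


if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(f"ALERT [{a['severity']}] {a['event']} by {a['arn']} from {a['ip']} ({a['region']}) outcome={a['outcome']}")
```

Failed root console logins are reported as well as successful ones, since the GeoLocation tunable speaks of attempts; the AssumeRole by an ordinary IAM user and the read-only EC2 call produce nothing.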
Abuse of system-generated or default privileged accounts such as 'root' or 'vpxuser' logging into ESXi hosts.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | esxi:auth | /var/log/auth.log |

| Field | Description |
|---|---|
| AccountName | If 'vpxuser' is replaced or configured differently, detection logic must reflect the change. |
| IPRange | Legitimate vCenter IP ranges may be whitelisted to avoid false positives. |
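An added example for the ESXi case (not from the original page) that applies the IPRange tunable as CIDR allowlisting with the standard-library `ipaddress` module: logins by the built-in accounts are reported only when the source address is outside the networks where vCenter and management hosts live. The log lines are constructed in the shape of `/var/log/auth.log` entries (the `hostd` line form in particular is an assumption), as are the account list and the allowed ranges.

```python
"""Flag logins by ESXi built-in accounts from outside the vCenter/management ranges.
Added example; lines are constructed in the shape of ESXi auth.log entries."""
import ipaddress
import re

DEFAULT_ACCOUNTS = {"root", "vpxuser", "dcui"}          # adjust if vpxuser is replaced at this site
# Assumption: vCenter subnet and a small management jump network.
ALLOWED_RANGES = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.99.1.0/28")]

# Matches both "Accepted keyboard-interactive/pam for root from 10.99.1.4 port ..." (sshd)
# and the constructed "Accepted password for user vpxuser from 10.20.0.5" (hostd) shapes.
LOGIN = re.compile(r"Accepted \S+ for (?:user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_LINES = [  # constructed
    "2024-03-11T14:02:11Z esx01 sshd[10012]: Accepted keyboard-interactive/pam for root from 10.99.1.4 port 50122 ssh2",
    "2024-03-11T14:03:00Z esx01 hostd[10020]: Accepted password for user vpxuser from 10.20.0.5",
    "2024-03-11T14:04:00Z esx01 hostd[10021]: Accepted password for user vpxuser from 203.0.113.9",
    "2024-03-11T14:05:00Z esx01 sshd[10030]: Accepted keyboard-interactive/pam for root from 198.51.100.4 port 50133 ssh2",
    "2024-03-11T14:06:00Z esx01 sshd[10031]: Accepted publickey for ops-backup from 198.51.100.4 port 50134 ssh2",
]


def source_allowed(ip):
    """True when the address lies in any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def detect(lines):
    """Return (user, source_ip) for each default-account login from an unexpected range."""
    alerts = []
    for line in lines:
        m = LOGIN.search(line)
        if m and m["user"] in DEFAULT_ACCOUNTS and not source_allowed(m["ip"]):
            alerts.append((m["user"], m["ip"]))
    return alerts


if __name__ == "__main__":
    for user, ip in detect(SAMPLE_LINES):
        print(f"ALERT ESXi default account {user} logged in from {ip} (outside allowed ranges)")
```

The vpxuser login from the vCenter subnet and the root login from the management /28 are suppressed; vpxuser from a public address and root from an unknown address are reported; the non-default `ops-backup` account is ignored regardless of source.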
Login activity from default admin credentials (e.g., 'admin', 'cisco') on routers, firewalls, and switches.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | networkdevice:syslog | authentication logs |

| Field | Description |
|---|---|
| Username | Default usernames vary by vendor; defenders should adapt logic to their specific appliance list. |
| InterfaceType | Telnet and HTTP-based access to network devices should be blocked and monitored if enabled. |
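An added example for network devices (not from the original page) that implements both tunables: the default-username list is keyed by vendor and resolved per device from an inventory map, and the InterfaceType check derives the access method from the local port so that a default-credential login over Telnet or HTTP is raised to high severity. The sample lines are constructed in the shape of Cisco IOS `%SEC_LOGIN` messages; using that one shape for every device in the inventory is a simplification, and the vendor map, inventory, and default lists are assumptions.

```python
"""Flag logins with vendor-default usernames on network devices, escalating when the
session arrived over Telnet or HTTP. Added example; syslog lines are constructed."""
import re

# Assumptions: well-known default usernames per vendor, and which vendor each device runs.
VENDOR_DEFAULTS = {"cisco": {"cisco", "admin"}, "juniper": {"root"}, "fortinet": {"admin"}}
DEVICE_VENDOR = {"core-rtr1": "cisco", "fw-edge1": "fortinet", "dist-sw2": "cisco"}
CLEARTEXT_PORTS = {"23": "telnet", "80": "http"}
ENCRYPTED_PORTS = {"22": "ssh", "443": "https"}

# Cisco IOS shape: "<host> <seq>: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: X] [Source: IP] [localport: N] ..."
LOGIN = re.compile(
    r"(?P<host>\S+) \d+: %SEC_LOGIN-\d-LOGIN_(?P<outcome>SUCCESS|FAILED):.*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<ip>[^\]]+)\] \[localport: (?P<port>\d+)\]")

SAMPLE_LINES = [  # constructed
    "Mar 11 14:02:11 core-rtr1 123: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] [localport: 23] at 14:02:11 UTC Mon Mar 11 2024",
    "Mar 11 14:03:20 core-rtr1 124: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.9] [localport: 22] at 14:03:20 UTC Mon Mar 11 2024",
    "Mar 11 14:04:05 fw-edge1 88: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 22] at 14:04:05 UTC Mon Mar 11 2024",
    "Mar 11 14:05:40 dist-sw2 301: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 80] [Reason: Login Authentication Failed] at 14:05:40 UTC Mon Mar 11 2024",
    "Mar 11 14:06:15 dist-sw2 302: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: root] [Source: 10.0.0.9] [localport: 22] at 14:06:15 UTC Mon Mar 11 2024",
]


def evaluate(line):
    """Return an alert dict when a vendor-default username is used on a known device, else None."""
    m = LOGIN.search(line)
    if not m:
        return None
    vendor = DEVICE_VENDOR.get(m["host"])
    if vendor is None or m["user"].lower() not in VENDOR_DEFAULTS[vendor]:
        return None  # unknown device, or not a default name for this vendor
    interface = CLEARTEXT_PORTS.get(m["port"]) or ENCRYPTED_PORTS.get(m["port"], "port-" + m["port"])
    if m["outcome"] == "FAILED":
        severity = "low"          # attempt with a default name: worth a record, not a page
    elif m["port"] in CLEARTEXT_PORTS:
        severity = "high"         # default credential accepted over Telnet/HTTP
    else:
        severity = "medium"
    return {"host": m["host"], "user": m["user"], "ip": m["ip"], "interface": interface,
            "outcome": m["outcome"], "severity": severity}


def detect(lines):
    return [alert for alert in map(evaluate, lines) if alert]


if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"ALERT [{a['severity']}] {a['host']}: {a['user']} via {a['interface']} from {a['ip']} ({a['outcome']})")
```

The `root` login on `dist-sw2` is not reported because `root` is not a Cisco default; the same line from a device mapped to `juniper` would be. The `admin` login over port 23 on the core router is the high-severity hit.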